PageBuster: gather dumps of all executable pages of packed processes
PageBuster
There are plenty of scenarios in which the ability to dump executable pages is highly desirable. Of course, there are many methods, some of which are de facto standards, but it is not always as easy as it seems.
For example, think about the case of packed malware samples. Run-time packers are often used by malware-writers to obfuscate their code and hinder static analysis. Packers can be of growing complexity, and, in many cases, a precise moment in time when the entire original code is completely unpacked in memory doesn’t even exist.
Therefore, the goals of PageBuster are:
- To dump all the executable pages, without assuming there is a moment in time where the program is fully unpacked;
- To do this in a stealthy way (no VM, no ptrace).
In particular, given the widespread use of packers and their variety, our objective is to have a single all-encompassing solution, as opposed to packer-specific ones.
Ultimately, PageBuster fits in the context of the rev.ng decompiler. Specifically, it is related to what we call MetaAddress. Among other things, a MetaAddress enables you to represent the absolute value of an address together with a timestamp (epoch), so that it can be used to track how a memory location changes during the execution of a program. Frequently, the same address holds different code at different moments during program execution. PageBuster was designed around this simple yet effective data structure.
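The following is an added example, not code from PageBuster or rev.ng, that models the idea behind the previous paragraph: a dump store keyed by (address, epoch), where a new entry is recorded only when the bytes at an executable address differ from the latest version already stored. The `meta_address_t` struct, the toy 16-byte page size and the packer-like scenario (an unpacker stub at one address that is later overwritten by unpacked code) are all constructed for illustration and are not the project's real MetaAddress layout or page size.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 16   /* toy page size, constructed for the example */
#define MAX_DUMPS 64

/* Simplified MetaAddress-like key (assumption, not rev.ng's layout):
 * an absolute address plus the epoch at which the content was seen. */
typedef struct {
    uint64_t address;
    uint64_t epoch;
} meta_address_t;

typedef struct {
    meta_address_t key;
    uint8_t content[PAGE_SIZE];
} page_dump_t;

static page_dump_t dumps[MAX_DUMPS];
static size_t ndumps = 0;

void reset_dumps(void) { ndumps = 0; }
size_t total_dumps(void) { return ndumps; }

/* Most recent stored version of a given address, or NULL if never seen. */
const page_dump_t *latest_for(uint64_t address) {
    const page_dump_t *best = NULL;
    for (size_t i = 0; i < ndumps; i++)
        if (dumps[i].key.address == address &&
            (best == NULL || dumps[i].key.epoch > best->key.epoch))
            best = &dumps[i];
    return best;
}

/* Record an observation of an executable page.
 * Returns 1 if a new (address, epoch) version was stored,
 * 0 if the content is identical to the latest stored version,
 * -1 if the store is full. */
int record_page(uint64_t address, uint64_t epoch, const uint8_t *content) {
    const page_dump_t *prev = latest_for(address);
    if (prev != NULL && memcmp(prev->content, content, PAGE_SIZE) == 0)
        return 0;                      /* unchanged: no new epoch needed */
    if (ndumps >= MAX_DUMPS)
        return -1;
    dumps[ndumps].key.address = address;
    dumps[ndumps].key.epoch = epoch;
    memcpy(dumps[ndumps].content, content, PAGE_SIZE);
    ndumps++;
    return 1;
}

/* Number of distinct versions recorded for an address across all epochs. */
size_t versions_for(uint64_t address) {
    size_t n = 0;
    for (size_t i = 0; i < ndumps; i++)
        if (dumps[i].key.address == address)
            n++;
    return n;
}

/* Constructed scenario: the page at 0x1000 first holds an unpacker stub,
 * then at epoch 2 the same address holds the unpacked code, while a second
 * executable page at 0x2000 appears only at epoch 2. Returns total dumps. */
size_t run_constructed_scenario(void) {
    uint8_t stub[PAGE_SIZE], unpacked[PAGE_SIZE], second[PAGE_SIZE];
    memset(stub, 0x11, PAGE_SIZE);     /* placeholder bytes, not real code */
    memset(unpacked, 0x22, PAGE_SIZE);
    memset(second, 0x33, PAGE_SIZE);

    reset_dumps();
    record_page(0x1000, 0, stub);      /* stored: first sight of 0x1000 */
    record_page(0x1000, 1, stub);      /* ignored: same bytes as epoch 0 */
    record_page(0x1000, 2, unpacked);  /* stored: 0x1000 now holds new code */
    record_page(0x2000, 2, second);    /* stored: first sight of 0x2000 */
    return total_dumps();
}

int main(void) {
    run_constructed_scenario();
    for (size_t i = 0; i < ndumps; i++)
        printf("addr=0x%llx epoch=%llu first_byte=0x%02x\n",
               (unsigned long long)dumps[i].key.address,
               (unsigned long long)dumps[i].key.epoch,
               dumps[i].content[0]);
    return 0;
}
```

Running the scenario yields three dumps: two versions of 0x1000 (epochs 0 and 2) and one of 0x2000. A single snapshot at any one epoch would miss either the stub or the unpacked code, which is exactly why the dump store is keyed by epoch as well as by address.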
For more information, please refer to our blogpost.
There are two PageBuster implementations: a user-space-only prototype and the full-fledged one, which employs a kernel module. The former is described in userpagebuster/. The rest of this document describes the latter.
Install & Use
Copyright (C) 2021 zTehRyaN